Re: [edk2-devel] [PATCH v2 0/4] Ovmf: Disable the TPM2 platform hierarchy

public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed

From: "Stefan Berger" <stefanb@linux.ibm.com>
To: James Bottomley <James.Bottomley@HansenPartnership.com>,
	devel@edk2.groups.io, stefanb@linux.vnet.ibm.com,
	jiewen.yao@intel.com
Cc: marcandre.lureau@redhat.com, lersek@redhat.com, dick_wilkins@phoenix.com
Subject: Re: [edk2-devel] [PATCH v2 0/4] Ovmf: Disable the TPM2 platform hierarchy
Date: Mon, 9 Aug 2021 14:28:38 -0400	[thread overview]
Message-ID: <d3862548-639d-846a-2257-81278d6a1ab9@linux.ibm.com> (raw)
In-Reply-To: <854e9cbc40b1a03204ed0a58aa639c4bc4a75c63.camel@HansenPartnership.com>


On 8/9/21 1:54 PM, James Bottomley wrote:
> On Mon, 2021-08-09 at 12:37 -0400, Stefan Berger wrote:
>> This series imports code from the edk2-platforms project related to
>> changing the password of the TPM2 platform hierarchy and uses it to
>> disable the TPM2 platform hierarchy in Ovmf. It addresses the Ovmf
>> aspects of the following bugs:
>>
>> https://bugzilla.tianocore.org/show_bug.cgi?id=3510
>> https://bugzilla.tianocore.org/show_bug.cgi?id=3499
> This raises a couple of issues:
>
>     1. Since OVMF is for all x86 virtual platforms not just the PC ones,
>        should it be following the PC client spec for everything?  I notice
>        you left out Xen and Bhyve ... should they never follow this?

I am not sure how to build Bhyve but one part of the patch is already 
there for it in this series:


If this is how you build Bhyve I am getting a build failure already 
before these patches here are applied.

build -p OvmfPkg/Bhyve/BhyveX64.dsc -b DEBUG -a X64 -t GCC5 -D 
TPM_ENABLE -D TPM_CONFIG_ENABLE -D SECURE_BOOT_ENABLE -D 
NETWORK_TLS_ENABLE 2>&1 | tee build.log
Build environment: Linux-5.12.14-300.fc34.x86_64-x86_64-with-glibc2.33
Build start time: 14:21:41, Aug.09 2021

WORKSPACE        = /home/stefanb/dev/edk2
EDK_TOOLS_PATH   = /home/stefanb/dev/edk2/BaseTools
CONF_PATH        = /home/stefanb/dev/edk2/Conf
PYTHON_COMMAND   = /usr/bin/python3.9


Processing meta-data .
Architecture(s)  = X64
Build target     = DEBUG
Toolchain        = GCC5

Active Platform          = /home/stefanb/dev/edk2/OvmfPkg/Bhyve/BhyveX64.dsc


build.py...
/home/stefanb/dev/edk2/OvmfPkg/Bhyve/BhyveX64.dsc(198): error 000E: 
File/directory not found in workspace
/home/stefanb/dev/edk2/OvmfPkg/Bhyve/Library/PlatformSecureLib/PlatformSecureLib.inf


>     2. Since OVMF is effectively both the platform and the firmware, what
>        attitude should we take to code in edk2-platforms?  There are
>        arguments for pulling all the necessary components into OVMF, but it
>        could also be argued that the VMM should take care of all the edk2-
>        platforms pieces and OVMF should be strictly firmware.

That's what I had been wondering about in V1 as well. This import here 
now followed the option 2 in that discussion and I cut out basically 
only the function that disables the platform hierarchy rather than 
setting a random password, which I kept since it didn't seem to require 
further dependencies. to be imported from edk2-platforms.


>
> Getting 2. sorted out is probably the more pressing policy issue for
> us.
>
> James
>
>

     prev parent reply	other threads:[~2021-08-09 18:28 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-08-09 16:37 [PATCH v2 0/4] Ovmf: Disable the TPM2 platform hierarchy Stefan Berger
2021-08-09 16:37 ` [PATCH v2 1/4] OvmfPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms Stefan Berger
2021-08-09 16:37 ` [PATCH v2 2/4] OvmfPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib Stefan Berger
2021-08-09 16:37 ` [PATCH v2 3/4] OvmfPkg: Reference new TPM classes in the build system for compilation Stefan Berger
2021-08-09 16:37 ` [PATCH v2 4/4] OvmfPkg: Disable the TPM2 platform hierarchy Stefan Berger
2021-08-09 17:54 ` [edk2-devel] [PATCH v2 0/4] Ovmf: " James Bottomley
2021-08-09 18:28   ` Stefan Berger [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=d3862548-639d-846a-2257-81278d6a1ab9@linux.ibm.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox